Privacy rights

Data protection: Can India overcome the spy-security state and big tech to enact a strong law?

The Justice BN Srikrishna committee, tasked with drafting this legislation, faces an unenviable task.

The government has set up a committee headed by Justice BN Srikrishna, a former judge of the Supreme Court, to “identify key data protection issues” and “recommend methods of addressing them”. This is not the Indian state’s first foray into the arena of data protection. In 2010, the Department of Personnel and Training had released a discussion paper and in 2012, there was the Report of the Group of Experts on Privacy Law, formed by the now disbanded Planning Commission.

The new committee comes in the backdrop of a high-voltage Supreme Court hearing on whether privacy is a fundamental right, concerns over Aadhaar, the biometric-based 12-digit unique identification number, and the alleged leak of customer data from Reliance Jio’s database. Although “data protection” sounds rather modest and slightly boring, the Srikrishna committee’s report will have far-reaching ramifications on free speech, privacy, big data innovation, trade ties with the West, the ability of intelligence and security agencies to monitor our communications, and the state’s overall power over the citizen.

Demand for data protection

The demand for a data protection law is years old, voiced most strongly by the National Association of Software and Services Companies, one of the most powerful industry lobby groups in India. The association wants a data protection law to enable the information technology and outsourcing industry get more business from the European Union. A data protection law would help India get “data secure” status from the EU. Currently, India is not deemed data secure under Article 25 of the EU’s Data Protection Directive, which governs the transfer of EU citizens’ data to other countries. The association’s effort, though, has not yielded much, not least because it is opposed by one of the most powerful arms of the Indian state – the intelligence agencies.

According to media reports, the intelligence agencies have demanded a blanket exemption from any data protection law. This should not be surprising given that these agencies are soon operationalising the Central Monitoring System, which will grant them the capacity to surveil all communication networks in India, telephonic or online.

But granting a blanket exemption to the intelligence agencies will likely fall foul of the EU law. After Edward Snowden disclosed the extent of American surveillance of the internet in 2013, the EU had declared, “Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced.” Soon after, the European Court of Justice ruled that a treaty allowing companies to transfer data from EU to the United States was in violation of the EU’s data protection law because of the National Security Agency’s mass surveillance of internet companies. That ruling opened a Pandora’s box for internet companies.

In India, there has been little discussion on how the country’s intelligence agencies operate. Most of our intelligence agencies operate under the authority of vague executive orders, and the Parliament does not have a clue about how they operate. In fact, there is a long-pending litigation in the Karnataka High Court challenging the legality of the Intelligence Bureau. Filed by a former officer of the Bureau, it contends that the agency was created in 1887 by the British and lacks any constitutional or statutory foundations.

The only major judicial challenge to the intelligence establishment was mounted in 1996, when the People’s Union for Civil Liberties challenged the government’s phone tapping powers. They wanted phone tapping declared unconstitutional unless it was authorised by a court warrant. The court, however, allowed the executive to conduct phone tapping without any authorisation provided a high-level committee of bureaucrats reviewed the order. Little information is publicly available on the efficacy of these oversight committees. However, given the revelation about the stalking of a lady by two Gujarati politicians, it would be safe to assume that things aren’t working as expected. Less known but equally terrifying is the GVK Bio case, where the company identified a whistle-blower with the help of the Hyderabad police, using the metadata of the whistle-blower’s mobile phone and email. The company, subsequently, started criminal proceedings against the whistle-blower.

No data protection law can be effective unless there is a check on the government’s power to access our data, over the telephone or on the internet. To identify problems in data protection and propose solutions, the Srikrishna committee would have to ask the intelligence agencies, police, and private telecom and internet companies to reveal their playbook.

Need for data innovation

Notwithstanding the lobbying power of the National Association of Software and Services Companies, there is growing realisation that the outsourcing-service business model of India’s big IT companies, which form the association, is losing steam. The recent spate of layoffs brought about by increased automation has sharply bared the limits of this model. Indian techies are finally realising the need to innovate and develop software products. In fact, this realisation has prompted some sections of the software industry to form i-Spirit: Indian Software Product Industry Round Table. In its own words, this lobby aims “to transform India into a hub for new generation software products”. A lot of these new products would be fuelled by big data, much like Google or Facebook. The reason Google and Facebook have been able to develop a large suite of services and provide them virtually free to consumers is that they have harnessed their users’ data to provide advertising and other services.

One key reason attributed to the phenomenal growth of Google and Facebook is that the US does not have an EU-style privacy regime. American internet companies find EU data protection laws bothersome because they restrict how these companies use consumers’ data. To enforce these laws, the EU has an elaborate bureaucracy with the power to levy back-breaking fines on violators. The Americans, on the other hand, follow a system of users and service providers entering into standard form contracts. Although the US has some sector-specific privacy legislation – including for government and financial data – it does not have omnibus data protection legislation like the EU. American companies are thus perceived to be more innovative in the field of big data.

American internet companies such as Google and Facebook find EU data protection laws bothersome because they restrict how these companies use consumers’ data. Photo credit: AFP
American internet companies such as Google and Facebook find EU data protection laws bothersome because they restrict how these companies use consumers’ data. Photo credit: AFP

While the National Association of Software and Services Companies would want European-style data protection legislation so that India can qualify for a data secure status from the EU, more innovative lobbies such as i-Spirit would seek a more relaxed American-style system of voluntary contracts. Aiding the Indian innovators will be the public policy professionals of Google and Facebook. Four years ago, Outlook reported how Google was funding an incredible range of policy ventures in India, from PRS to a centre at the National Law University, and questioning whether the tech giant’s funding was transparent enough. There is little doubt that Google wields formidable soft power in India, not only because it funds policy ventures but also because it is one of the most recognised and trusted internet brands in the country.

There is much to agree with Google’s and Facebook’s approach to data, but the problem is that their dispute resolution clause requires Indians to sue only before courts in California, US. That neither company has provided for a forum in India to resolve the privacy concerns of Indian users gives the impression they aren’t interested in empowering them.

The more complicated question is whether Google and Facebook can circumvent the proposed data protection legislation through private contracts governed by American law. Even today, most US internet companies are clear that the terms of use between them and Indian users are governed by American law, hence the insistence on US courts for enforcement. Should this freedom of contract be respected or should the Indian state nullify all such contracts that don’t abide by Indian law? By doing so, will India unwittingly thwart future start-ups that may have the potential to be the next Google or Facebook, and will Indians lose out on those competing services?

In any event, the US usually bats for Google and Facebook and there is every likelihood this matter be a key sticking point between India and the US, as is the case now between the US and EU.

Effect on trade ties 

One of the key aspects of trade talks in recent years has been data localisation, whereby countries force big data firms to retain data within their territories. This requires the companies to ensure that they set up servers and data banks in each country, so that their citizens’ data is not transmitted to the home countries of the big companies. Forcing companies to locate their servers and data banks domestically makes it easier for national governments to force them to cooperate on surveillance. Last year, China enacted a data protection law with a broad provision on data localisation. India will likely try to have a similar provision in its proposed law. In fact, some years ago, the government tried to force Blackberry to set up local servers in India. Then, Blackberry was one of the few companies providing an encrypted messaging service in the country.

Of late, though, major trade agreements have sought to reportedly prohibit data localisation, including the now junked Trans-Pacific Partnership and the Regional Comprehensive Economic Partnership, which is still being negotiated. The logic for prohibiting data localisation is simple: it increases the cost of business and creates inefficiencies. Since trade talks are a two-way street, India needs to strategise the cost of adopting an aggressive data localisation policy. The Americans are in a fiercely protectionist mode and are likely to lash out against India for any steps that harm US companies such as Facebook and Google. However, as one of the most lucrative markets for Facebook and Google, India does have some negotiating power to push back against the Americans.

Effect on journalism

A less discussed aspect of data protection and privacy laws is the impact they have on free speech. As I have previously explained, the right to privacy has often been invoked by powerful people to stop publication of their biographies or production of biopics. A data protection law that provides for remedies like damages and possibly imprisonment may greatly complicate investigative journalism, which relies on data or information gathered without the permission of the people it belongs to. Consent, after all, is likely to be the centerpiece of any data protection law.

Can the media then carry out stings and record people in private spaces without their permission? What happens if a whistle-blower from a private organisation leaks confidential information? The EU data protection law provides for an exception for journalistic purposes, but the provision is so vaguely worded it can have a chilling effect on journalists. Would the media outlets that broke stories on the Essar leaks, Radia tapes, Birla-Sahara diaries have done so if they risked lawsuits or imprisonment for breach of privacy?

One law for all?

One of the important questions that will have to be settled by the Srikrishna committee is whether the proposed data protection legislation should cover both public and private sectors? Unlike the Indian state, which has a coercive and often paternalistic relationship with the citizen, private companies offer services that are entirely voluntary. If you don’t like Facebook, for example, you are free not to use it.

Should both relationships then be held to the same standard of conduct, and if not, should there be separate laws with a higher onus being placed on the state?

Theoretically, there already exists a privacy right for all personal data held by the government. This right flows from Section 8 of the Right to Information Act, 2005. The Department of Personnel and Training has recognised the width of this right, instructing all ministries and departments to not release any private details disclosed on the Right to Information applications because the same would violate the privacy rights of citizens. The order came after a petition was filed in the Calcutta High Court challenging the government’s practice of publishing all RTI applications without redacting personal details. The logic of this order can be extended to virtually all personal information held by the state. The challenge lies in creating a workable enforcement mechanism, and given the complexity of government in India, this aspect deserves its own special law. At any rate, the Srikrishna committee should consider having two separate laws.

Prashant Reddy is a professor at the National Academy for Legal Studies and Research, Hyderabad. He is the author of India’s Intellectual Property Dilemmas.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

“My body instantly craves chai and samosa”

German expats talk about adapting to India, and the surprising similarities between the two cultures.

The cultural similarities between Germany and India are well known, especially with regards to the language. Linguists believe that Sanskrit and German share the same Indo-Germanic heritage of languages. A quick comparison indeed holds up theory - ratha in Sanskrit (chariot) is rad in German, aksha (axle) in Sanskrit is achse in German and so on. Germans have long held a fascination for Indology and Sanskrit. While Max Müller is still admired for his translation of ancient Indian scriptures, other German intellectuals such as Goethe, Herder and Schlegel were deeply influenced by Kalidasa. His poetry is said to have informed Goethe’s plays, and inspired Schlegel to eventually introduce formal Indology in Germany. Beyond the arts and academia, Indian influences even found their way into German fast food! Indians would recognise the famous German curry powder as a modification of the Indian masala mix. It’s most popular application is the currywurst - fried sausage covered in curried ketchup.

It is no wonder then that German travellers in India find a quite a lot in common between the two cultures, even today. Some, especially those who’ve settled here, even confess to Indian culture growing on them with time. Isabelle, like most travellers, first came to India to explore the country’s rich heritage. She returned the following year as an exchange student, and a couple of years later found herself working for an Indian consultancy firm. When asked what prompted her to stay on, Isabelle said, “I love the market dynamics here, working here is so much fun. Anywhere else would seem boring compared to India.” Having cofounded a company, she eventually realised her entrepreneurial dream here and now resides in Goa with her husband.

Isabelle says there are several aspects of life in India that remind her of home. “How we interact with our everyday life is similar in both Germany and India. Separate house slippers to wear at home, the celebration of food and festivals, the importance of friendship…” She feels Germany and India share the same spirit especially in terms of festivities. “We love food and we love celebrating food. There is an entire countdown to Christmas. Every day there is some dinner or get-together,” much like how Indians excitedly countdown to Navratri or Diwali. Franziska, who was born in India to German parents, adds that both the countries exhibit the same kind of passion for their favourite sport. “In India, they support cricket like anything while in Germany it would be football.”

Having lived in India for almost a decade, Isabelle has also noticed some broad similarities in the way children are brought up in the two countries. “We have a saying in South Germany ‘Schaffe Schaffe Hausle baue’ that loosely translates to ‘work, work, work and build a house’. I found that parents here have a similar outlook…to teach their children to work hard. They feel that they’ve fulfilled their duty only once the children have moved out or gotten married. Also, my mother never let me leave the house without a big breakfast. It’s the same here.” The importance given to the care of the family is one similarity that came up again and again in conversations with all German expats.

While most people wouldn’t draw parallels between German and Indian discipline (or lack thereof), Germans married to Indians have found a way to bridge the gap. Take for example, Ilka, who thinks that the famed differences of discipline between the two cultures actually works to her marital advantage. She sees the difference as Germans being highly planning-oriented; while Indians are more flexible in their approach. Ilka and her husband balance each other out in several ways. She says, like most Germans, she too tends to get stressed when her plans don’t work out, but her husband calms her down.

Consequently, Ilka feels India is “so full of life. The social life here is more happening; people smile at you, bond over food and are much more relaxed.” Isabelle, too, can attest to Indians’ friendliness. When asked about an Indian characteristic that makes her feel most at home, she quickly answers “humour.” “Whether it’s a taxi driver or someone I’m meeting professionally, I’ve learnt that it’s easy to lighten the mood here by just cracking a few jokes. Indians love to laugh,” she adds.

Indeed, these Germans-who-never-left as just diehard Indophiles are more Indian than you’d guess at first, having even developed some classic Indian skills with time. Ilka assures us that her husband can’t bargain as well as she does, and that she can even drape a saree on her own.

Isabelle, meanwhile, feels some amount of Indianness has seeped into her because “whenever its raining, my body instantly craves chai and samosa”.

Like the long-settled German expats in India, the German airline, Lufthansa, too has incorporated some quintessential aspects of Indian culture in its service. Recognising the centuries-old cultural affinity between the two countries, Lufthansa now provides a rich experience of Indian hospitality to all flyers on board its flights to and from India. You can expect a greeting of Namaste by an all-Indian crew, Indian food, and popular Indian in-flight entertainment options. And as the video shows, India’s culture and hospitality have been internalized by Lufthansa to the extent that they are More Indian Than You Think. To experience Lufthansa’s hospitality on your next trip abroad, click here.

Play

This article was produced by the Scroll marketing team on behalf of Lufthansa as part of their More Indian Than You Think initiative and not by the Scroll editorial team.